Cybersecurity, the real challenge is investing in training (Dealflower, 7 June 2022 – Elena Cannone)

Among the consequences of the Ukraine conflict is an increase in cybercrime, especially for the many companies that work with Russia. But cybersecurity is an issue that concerns everyone who exchanges data and information with any electronic device daily. Even before the Ukraine crisis, with the Covid-19 pandemic and the increase in teleworking, it became necessary to think about creating an ad hoc cyber defence structure in our country. The establishment of the National Agency for Cybersecurity was indispensable for developing a national cyber resilience strategy. Recently, Prime Minister Mario Draghi signed the “National Cybersecurity Strategy 2022-2026”, which stated that 1.2% of gross national investments should be allocated annually to cybersecurity.

In the last few months many Italian online services and sites, including the Senate, Ministry of Defence and ABI (Italian Banking Association) websites, were cyber-attacked (including by the Russians). The issue concerns the public as much as the private sector. The 2022 edition of the Data Breach Investigations Report by Verizon pointed out a significant rise in ransomware attacks, with a 13 per cent increase in just a year. This is the “largest growth over the past five years.” In its annual report, Proofpoint pointed out that 2021 was a year of great creativity for cybercriminals: threat actors turned to unconventional, people-focused methods, with 100,000 daily smartphone attacks, while smishing doubled compared to the previous year.

SUFFICIENT MEASURES? 

Guido Moscarella, COO of Innovery, an Italian multinational specialising in cybersecurity, told Dealflower: “According to the data shared by the postal police, the first quarter of 2022 saw an increase in cyber-attacks of around 40 per cent compared to the same period last year. This increase cannot be blamed entirely on the war; the number of cyber-attacks and their complexity are increasing yearly, especially in the post-pandemic era. The spread of remote working has quickly brought out new vulnerabilities, because it has expanded the perimeter of attack by cyber criminals, a perimeter that companies could not monitor.”

But are government measures sufficient? “To assess whether the planned investments are sufficient is not easy. The cost of cyber-crime is approximately €7 billion yearly. The planned investment for the agency is 623 million, to which further financial levers, such as tax relief should be added. In a country where 95 per cent of the production fabric is made up of small and medium-sized enterprises, the vast majority of which do not have an IT security system that is up to the task, due to budget problems, we would have hoped for a more substantial investment,” Moscarella said.

APPLYING GDPR 

However, from SMEs to multinationals, all companies are subject to hacker attacks. Lawyer Elena Cannone, Managing Associate and Compliance and Focus Team Leader of the firm De Luca & Partners, told Dealflower: “This situation has worsened with the pandemic as corporate assets are more exposed with remote working.” But the solution may already be at hand if one looks at the GDPR. “This regulation and cybersecurity are sides of the same coin,” the lawyer said. Why? “In the regulation we talk about technical and organisational measures on cybersecurity. Everything is done under the principle of accountability: the company must make an assessment, understand the risks, survey them and, consequently, take measures appropriate to the risk level.”

If the GDPR could be a first step, Cannone said, “we need to have an IT infrastructure that allows us to contain and reduce the risk as much as possible. Companies must be made aware of IT security, because this protects the company assets, image and reputation.” “In addition to the numbers that are public, it should not be forgotten that many companies do not report hacker attacks. The ideal is to prevent what might happen to protect the assets, but there is still a way to go. We are slowly getting there: since 2018, however, progress has been made.” What is lacking is awareness of the need to train employees. “These must be trained and disciplined with specific and periodic training,” the lawyer emphasised.

THE TRAINING ISSUE

Training is crucial, and that goes beyond the company. Moscarella said: “Italy is facing a serious gap of profiles with skills in the IT sectors, especially in cybersecurity. The lack of these profiles makes it difficult to continuously monitor critical structures and guarantee immediate action in case of need.” Innovery has two SOCs (Security Operation Centres) in Italy, which guarantee continuous monitoring, active 24/7, 365 days a year, capable of responding to any emergency. “But to increase the effectiveness of these centres, it is necessary to implement them with ever new resources, capable of dealing with cyber risks at all levels, which is why it is essential to invest in training.”

According to a recent report by Fortinet, an American multinational company that develops and markets IT security software, devices, and services, Italy lacks 100,000 cyber security experts. According to the data of the 2022 Cybersecurity Skills Gap analysis, which involved 1,223 managers from as many companies in 29 countries worldwide, the shortcomings of protection systems are evident. Massimo Palermo, Fortinet’s country manager for Italy and Malta, pointed out that Italy needs at least 100,000 specialised figures considering that we are “the third country in the world most affected by ransomware attacks.”
